I have tried a few different approaches but none of them were 100% reliable. I tried subscribing to the ES_EVENT_TYPE_NOTIFY_SETEXTATTR event to detect when a process sets the kMDItemWhereFroms attribute on a file, but the problem is that any process can set that attribute on any file. For example, I can use the xattr -w com.apple.metadata:kMDItemWhereFroms "https://example.com" SampleFile.txt command into the terminal and that would trigger an ES event. I also tried to listen for the com.apple.quarantine attribute but for some reason my ES client never receives an event for it, also, as with any attribute, this attriubte can be set manually by any process. Is there a recommended/reliable way to have an ES client that detects a file has been downloaded from the internet (.i.e. a remote network)?

Hello, I'm developing a Transparent Proxy and I noticed that the Network Extension Framework logs in the Unified Logging System when my profile receives a flow, its source application, its destination endpoint, and my profile's decision regarding that flow. I worry that this may compromise the user's privacy. So is there a way that I can turn off these logs at least in Distribution Configurations?